Exploring Software: A Secure UEFI Boot Experience


In this article, the author describes his experience with UEFI boot when installing Fedora and Ubuntu on a Windows 8 netbook that shipped with UEFI Secure Boot enabled. He also outlines the difficulties he encountered and the steps he took to overcome them.

The new netbook I got came with Windows 8.1 preinstalled. As expected, it came with a secure UEFI boot as the default option (http://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface). The BIOS did not offer me the choice of using the old style, legacy BIOS boot mode. The only option available was whether to enable or disable the secure boot.
It turned out that installing Linux on the new system was not difficult. There was no need even to change the Secure Boot setting, at least for Fedora and Ubuntu.

Installing Fedora 21
After downloading the ISO, I used liveusb-creator to create the bootable USB and it did not work! It turned out that all I needed to do was use dd to copy the ISO file to the USB drive (https://fedoraproject.org/wiki/How_to_create_and_use_Live_USB).
There was nothing special about the installation. Rebooting brought up the Grub menu with an option to boot the Windows boot loader. Everything worked fine. This works because of the shim package: shim is signed through the Microsoft UEFI signing service, so the firmware trusts it and it in turn loads Grub.
However, just before the Grub menu appeared, an error message stated that some files could not be found in the EFI/Boot directory. Copying the *.efi files from the /boot/efi/EFI/fedora directory into the /boot/efi/EFI/Boot directory made the (harmless) error message go away as well.

Installing Ubuntu 15.04
Using the dd command to copy the Ubuntu ISO file to the USB drive created bootable installation media. Just as with Fedora, the installation went through without any issue. However, it did not replace the default boot loader with Ubuntu's.
So, rebooting brought up the Grub menu of the Fedora installation. Recreating the grub.cfg file with grub2-mkconfig found the Ubuntu installation.
Rebooting showed Ubuntu as an option. However, it would not boot into Ubuntu because of an invalid key! Disabling the secure boot option in the BIOS allowed Ubuntu to run as well.
Since Windows ran fine from the Fedora Grub menu without my having to change the security settings, it seemed worth trying the same method for Ubuntu, that is, chain to the boot directory of Ubuntu by adding the following option in grub.cfg:

menuentry 'Ubuntu Boot Manager (on /dev/sda2)' {
    insmod part_gpt
    insmod fat
    set root='hd0,gpt2'
    # locate the EFI system partition by its filesystem UUID
    if [ x$feature_platform_search_hint = xy ]; then
      search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 0436-31B2
    else
      search --no-floppy --fs-uuid --set=root 0436-31B2
    fi
    # hand over to Ubuntu's signed shim, which then loads Ubuntu's own Grub
    chainloader /EFI/ubuntu/shimx64.efi
}

Only the title and the chainloader command at the end differ from the entry that boots the Windows boot manager. I could enable Secure Boot again and boot into Fedora, Ubuntu or Windows.

Switching the default Boot Manager to Ubuntu Boot

In both Fedora and Ubuntu, /boot/efi is the mount point of the EFI system partition, which in my case was /dev/sda2. The directory EFI/Boot in this partition is the firmware's default boot location: it loads bootx64.efi from there.
In /boot/efi/EFI, rename Boot to Boot.fedora (to keep a backup) and create a new directory named Boot. Copy the files from the ubuntu directory into Boot. Finally, in Boot/, copy shimx64.efi as bootx64.efi. Now, when you reboot, the Grub menu of Ubuntu will be displayed.
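As an added example (not code from the article), the rename-and-copy procedure above as a shell function with the checks a careful administrator would add; the ESP mount point, the distribution directory and the backup suffix are parameters so the function can be rehearsed on a scratch directory before touching a real ESP.

```shell
#!/bin/sh
# Added example, not from the article: script the article's "switch the default
# boot manager" steps. The firmware loads EFI/Boot/bootx64.efi as its default
# loader, so that file must be a Microsoft-signed shim for Secure Boot to stay
# enabled. Arguments: ESP mount point (/boot/efi on the author's machine),
# the distribution directory under EFI (ubuntu) and the backup suffix (fedora).
# Paths are parameters so the function can be tried on a scratch tree first.
set -e

switch_default_boot() {
    esp=$1; dist=$2; backup_suffix=$3
    src="$esp/EFI/$dist"
    boot="$esp/EFI/Boot"
    backup="$esp/EFI/Boot.$backup_suffix"

    # Refuse unless the source carries both shim and grub: a bare grubx64.efi
    # copied to bootx64.efi is not trusted by the firmware under Secure Boot.
    [ -f "$src/shimx64.efi" ] || { echo "no shimx64.efi in $src" >&2; return 1; }
    [ -f "$src/grubx64.efi" ] || { echo "no grubx64.efi in $src" >&2; return 1; }

    # Never overwrite an earlier backup, or the original default loader is lost.
    if [ -e "$backup" ]; then
        echo "$backup already exists; move it aside before re-running" >&2
        return 1
    fi
    if [ -d "$boot" ]; then
        mv "$boot" "$backup"
    fi
    mkdir -p "$boot"

    # Copy the whole distribution directory (shim, grub, grub.cfg, MOK files),
    # then install shim under the fixed default name, as the article does.
    cp -pR "$src/." "$boot/"
    cp -p "$src/shimx64.efi" "$boot/bootx64.efi"
    echo "default loader is now the $dist shim at $boot/bootx64.efi"
}

# On the author's layout (run as root, with /boot/efi mounted):
# switch_default_boot /boot/efi ubuntu fedora
```

Running it a second time fails on purpose, because Boot.fedora already holds the original default loader.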
The experience of using the secure boot environment turned out to be far easier than expected, especially for the larger distributions like Fedora and Ubuntu. However, turning off the security option and ignoring the warning about booting in insecure mode should work easily for any recent distribution thanks to grub-efi. EFI boot is no longer, and may not have been for some time, an unpleasant constraint for Linux users.

